Virus: TR/Rogue.KD.744776
Date discovered: 01/10/2012
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
File size: 966656 Bytes
MD5 checksum: 9f7e870865b7dfb2219a0f547389b742
VDF version: 7.11.44.196 - Monday, October 1, 2012
IVDF version: 7.11.44.196 - Monday, October 1, 2012
General

Methods of propagation:
• Autorun feature
• Local network
• Messenger

Aliases:
• Kaspersky: Worm.Win32.Ngrbot.mbn
• Bitdefender: Trojan.Generic.KD.744776
• Grisoft: BackDoor.Agent.ASAY
• Eset: Win32/Dorkbot.B worm
• GData: Trojan.Generic.KD.744776
• Norman: Trojan W32/Troj_Generic.EMNWO

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows Server 2008
• Windows 7

Side effects:
• Can be used to modify system settings that allow or augment potential malware behaviour.
• Registry modification

Files

It copies itself to the following location:
• %appdata%\%six-digit random character string%.exe

Registry

One of the following values is added in order to run the process after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • "Bwzizj"="%appdata%\%six-digit random character string%.exe"

The following registry keys are added in order to load the services after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithProgids]
  • "AIFFFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithProgids]
  • "AIFFFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithProgids]
  • "AIFFFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\OpenWithProgids]
  • "ASFFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithProgids]
  • "ASXFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithProgids]
  • "AUFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\OpenWithProgids]
  • "avifile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithProgids]
  • "Paint.Picture"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.css\OpenWithProgids]
  • "CSSfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\OpenWithProgids]
  • "Paint.Picture"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\OpenWithProgids]
  • "WordPad.Document.1"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dvr-ms\OpenWithProgids]
  • "WMP.DVR-MSFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\OpenWithProgids]
  • "emffile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithProgids]
  • "giffile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithProgids]
  • "htmlfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithProgids]
  • "htmlfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithProgids]
  • "icofile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.IVF\OpenWithProgids]
  • "IVFFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\OpenWithProgids]
  • "pjpegfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\OpenWithProgids]
  • "jpegfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\OpenWithProgids]
  • "jpegfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithProgids]
  • "jpegfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\OpenWithProgids]
  • "mpegfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\OpenWithProgids]
  • "m3ufile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithProgids]
  • "midfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\OpenWithProgids]
  • "midfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithProgids]
  • "mpegfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\OpenWithProgids]
  • "mpegfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\OpenWithProgids]
  • "mp3file"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\OpenWithProgids]
  • "mpegfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\OpenWithProgids]
  • "mpegfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\OpenWithProgids]
  • "mpegfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithProgids]
  • "mpegfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\OpenWithProgids]
  • "mpegfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithProgids]
  • "pngfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithProgids]
  • "midfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rtf\OpenWithProgids]
  • "rtffile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithProgids]
  • "AUFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\OpenWithProgids]
  • "TIFImage.Document"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\OpenWithProgids]
  • "TIFImage.Document"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids]
  • "txtfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\OpenWithProgids]
  • "soundrec"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\OpenWithProgids]
  • "WAXFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\OpenWithProgids]
  • "ASFFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\OpenWithProgids]
  • "WMAFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\OpenWithProgids]
  • "wmffile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithProgids]
  • "WMVFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\OpenWithProgids]
  • "ASXFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\OpenWithProgids]
  • "WPLFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wri\OpenWithProgids]
  • "wrifile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithProgids]
  • "WVXFile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithProgids]
  • "xmlfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xsl\OpenWithProgids]
  • "xslfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithProgids]
  • "CompressedFolder"=hex:

The following registry keys are added:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\OpenWithProgids]
  • "Microsoft Internet Mail Message"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithProgids]
  • "mhtmlfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithProgids]
  • "mhtmlfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nws\OpenWithProgids]
  • "Microsoft Internet News Message"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.URL\OpenWithProgids]
  • "InternetShortcut"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp\OpenWithProgids]
  • "wdpfile"=hex:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmp\OpenWithProgids]
  • "WMPFile"=hex:

Miscellaneous

Internet connection: In order to check for its internet connection, the following DNS server is contacted:
• sp.3**********.kz

Event handler: It creates the following Event handlers:
• ReadProcessMemory
• WriteProcessMemory
• CreateRemoteThread
• InternetReadFile
• URLDownloadToFile
• InternetOpenUrl
• InternetOpen
• CreateFile

String: Furthermore, it contains the following strings:
• AV_sites
• Money_sites
• Socialnetworks
• Starting flood
• IRC Command
• login
• password
• banking
• pin
• money
• account
• login.yahoo.*/*login*
• facebook.*/login.php*
• runescape*/*weblogin*
• mediafire.com/*login*
• freakshare.com/login*
• uploading.com/*login*
• filesonic.com/*login*
• namecheap.com/*login*
• vkontakte.ru/api.php
• friendster.*/rpc.php
• steampowered*/login*
• megaupload.*/*login*
• sendspace.com/login*
• TextfieldPassword=*
• fileserv.com/login*
• loginUserPassword=*
• uploaded.to/*login*
• alertpay.com/login*
• moniker.com/*Login*
• dotster.com/*login*
• Friendster Message
• signin.ebay*SignIn
• 4shared.com/login*
• hotfile.com/login*
• netflix.com/*ogin*
• godaddy.com/login*
• HTTP Traffic]: %s
• USB]: Infected %s
• aol.*/*login.psp*

File details

Programming language: The malware program was written in MS Visual C++.
Description inserted by Wensin Lee on Wednesday, October 3, 2012
Description updated by Wensin Lee on Wednesday, October 3, 2012